Check out the latest edition of Business Solutions from ITS!
It’s that time of year – 2018 rolls to a close, 2019 looms around the corner, and holiday door schedules need to be set.
If you are logging into your door system to change door times for Christmas and New Year’s holidays, consider changing all known holidays at once. For your convenience, 2019 Federal Holidays are listed below:
- Tuesday, January 1 – New Year’s Day
- Monday, January 21 – Birthday of Martin Luther King, Jr.
- Monday, February 18 – Presidents’ Day
- Monday, May 27 – Memorial Day
- Thursday, July 4 – Independence Day
- Monday, September 2 – Labor Day
- Monday, October 14 – Columbus Day
- Monday, November 11 – Veterans Day
- Thursday, November 28 – Thanksgiving Day
- Wednesday, December 25 – Christmas Day
Remember that you can also change your business hours temporarily on Facebook (or make a sticky post) and edit your Google Business listing to let your customers know your open/closed status.
A new week brings a new series of targeted email threats. Round one is a twist on the recent sextortion campaigns, but places clients in a more difficult situation. Many of the emails contain physical threats: bombs brought into buildings or mercenaries waiting outside with acid. Just like the round of webcam sextortion emails that cycled recently, payment in bitcoin is demanded to escape the threatened situation.
Round two is a series of emails from “executives” within your company requesting gift card purchases for company gifts.
I Know It’s You, Bob
Last week, we fielded two helpdesk calls with the latter type of phishing email, likely also integrating some social engineering components. The emails claimed to be from company executives and were sent to other employees within the company. In the emails, the executive asked the employees to purchase gift cards for him to use as corporate Christmas gifts. The executive also asked them to remove the privacy strip and report the redemption code back to him for use online. In both cases, the employees saw the emails as odd and responded to the executive for clarification. The “executive” replied in a somewhat personal manner and repeated the request: the replies were going to the spoofed address, not to the executive’s actual email address.
Eventually, both companies contacted ITS to take a look, and we were able to help them confirm that the emails were targeted phishing. Screenshots below show how the address was spoofed and not actually from the company executive. However, when the employee replied, they only saw the sender name and not the sender address, creating the illusion that the executive was sending/receiving these requests.
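The check below is an added example, not part of the ITS article: it reads the headers an employee’s mail client hid (the address behind the display name, and where a reply would actually go) and flags the mismatches described above. The company domain, the executive directory and both sample messages are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example (not from the article): the company's own
# domain and the display names of people whose requests staff tend to act on.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Bob Smith": "bob.smith@example.com"}


def check_sender(raw_message):
    """Return warnings for one raw message, showing what the mail client hid:
    the address behind the display name and where a reply would really go."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings = []

    # Display name belongs to a known executive but the address does not match.
    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        warnings.append(f"display name '{from_name}' is a known executive, "
                        f"but the address is {from_addr}, not {expected}")
    # Sender address is outside the company's own domain.
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_domain and from_domain != COMPANY_DOMAIN:
        warnings.append(f"sender domain {from_domain} is not {COMPANY_DOMAIN}")
    # A Reply-To that differs from From sends the employee's reply elsewhere.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"replies go to {reply_addr}, not to {from_addr}")
    return warnings


# Constructed sample headers for the demonstration; not real messages.
SPOOFED = """From: Bob Smith <bob.smith.ceo@example-mail.net>
Reply-To: Bob Smith <ceo.bob.smith@example-mail.net>
To: staff@example.com
Subject: Quick favor

Can you pick up some gift cards for client gifts and send me the codes?
"""
LEGIT = """From: Bob Smith <bob.smith@example.com>
To: staff@example.com
Subject: Holiday schedule

Please set the holiday door schedule for the new year before you leave.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_sender(raw))
```

Most mail clients show the raw headers under a "view source" or "show original" option, which is where these fields can be read without replying to the message.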
How Is My Information Found?
When clients see these phishing attempts come through, they often wonder how their information is found. How do scammers know who the president is, who handles the books, or who the most likely candidate for buying gift cards would be? The information could have come from your website, where staff, titles and roles are shared to be helpful and inviting. Small details about your company may have also come from a targeted phone call to your business.
Just today when I was reading reports on this latest round of email threats, our incoming phone line rolled over to me. I answered, and fielded a call asking for a specific co-worker. As the co-worker was in a meeting, I asked if I could take a message or offer assistance. The caller proceeded to give his name and company, which was not something I recognized. The caller asked for the email address of the co-worker, which I declined to share. Being a good gatekeeper on the phone is a great way to limit social engineering via telephone. If people call and ask for details about your business, your staff and operations, or ask for specific email addresses, etc., make sure that you know who the caller is and why they need that information. A caller that is able to collect useful pieces of information about your business and your staff is one who may also use/share that data later for nefarious purposes.
How Do I Mitigate Risk?
- If an email request seems odd or out-of-character, personally contact the sender via phone or face-to-face to ask about the requested transaction. Replying via email is not always a safe choice, as you may be replying to the scammer’s email address and not the address of your coworker.
- Consider the information on your website: what is necessary for clients and prospective clients? What information is too much information and could aid scammers?
- Train phone handlers to be good gatekeepers; don’t let them give out email addresses, cell phone numbers, titles or names unless they can validate the request for information.
- Develop a policy for any financial requests. Make sure that your bank/bankers also have a security protocol for money transfer requests.
We have received several helpdesk tickets regarding an email with some eerily personal information and threats.
The email contains one of your current or former passwords, likely posted on the internet after a data breach at a company where those credentials were used. The email goes on to describe footage captured of you on your webcam and demands a bitcoin ransom to keep the footage from being shared.
The email is a hoax.
Yes, your password was at one time compromised. If you are still using that password anywhere, change it!
Do not reply to the email or interact with the sender. You do not need to make a payment, and there is no footage.
Think about your passwords on other websites and whether they may need to be changed:
- Use long and strong passwords: consider using an entire phrase instead of one word.
- Use unique passwords: each website or service requires a new and different password.
- Consider using two-factor authentication when available, so you are also required to receive and submit a code in addition to your password.
The holiday shopping season and online deals seem to arrive earlier each year; now is a great time to review some online shopping safety tips, and prepare your computer or device for a safe shopping experience.
- Look for a secure checkout page. This is generally indicated with a padlock in the browser’s address bar and an address that begins with: https:// (instead of http://)
- Read reviews for new or unfamiliar digital storefronts – even sites with https:// can still be a scam or skim your payment information, and other shoppers may have posted reviews or warnings online.
- Use unique passwords for each site; if a website is hacked, there is a good chance your credentials will be posted online or sold to the highest bidder. If you use the same email/password combination for multiple websites, these accounts also become vulnerable.
- When setting up accounts, consider adding two-factor authentication when it is available. This may send a code via text message or email to verify your identity.
- As you scroll through the purchase screens, look carefully at the boxes you can check/uncheck regarding your email address. You can often choose to only receive messages related to your specific order, and eliminate extra email in your inbox advising you of sales and special discounts months from now. A clean inbox is a safer inbox!
- Check your computer and browsers for updates. You should also check your browser for added extensions/plugins, check the preferred search engine and check the homepage/new tab settings. Odd settings in these areas can often be a sign that your browser was hijacked or you have virus/malware or other unfriendly installation on your computer.
- Consider a Virtual Credit Card if your provider offers this service: a virtual card acts like a digital representation of your real credit card. Your virtual card can simply be deleted if compromised, instead of ordering and waiting for a new physical credit card.
- Limit the number of transactions or the amount of business you perform over public Wi-Fi connections.
- Don’t click on links in online advertisements or in your email without checking their validity first: hover over the links without clicking to see a preview of the destination address. Some websites are really tricky – can you see the difference between www.amazon.com and say www.amaz0n.com? The second address has a zero instead of the normal spelling.
- Don’t open attachments in an email unless you are expecting an attachment from that sender. A current threat is a fake invoice sent from users in your contact list. You might be familiar with the person sending the email, but does that person normally send your invoices? It is always a good idea to contact the sender personally before opening, to ask if they intended to send you an attachment.
- Be cautious when installing shopping, coupon and holiday apps – especially on Android devices. Apps will often appear to offer great shopping deals, but may actually steal your data.
- When shopping at a new online venue, search for online reviews or ratings. Use the words “fraud” or “scam” in your search. Pay attention to grammar, spelling and design on the website – if anything appears “off”, the website may be a scam, and the deals too good to be true.